Site-to-site IPSec VPN between VPNaaS (SIM-Cloud) and pfSense router (remote office)

• Description
• Initial conditions
• Site A configuration (VPNaaS)
• Site B configuration (pfSense)
• Tunnel function check

Description

Consider the configuration of the IPSec site-to-site VPN connection between the VPNaaS, on the cloud infrastructure side, and the pfSense-based router on the side of the remote office.

Both routers have real IP addresses on WAN interfaces, i.e. they do not use NAT.

This article contains configuration examples using a management interface (GUI)

Initial conditions

• Both nodes between which the VPN tunnel is to be built have real IP addresses.
• Site A is the cloud-based VPNaaS provided by SIM-Cloud
• Site B is the client’s infrastructure, based on pfSense.
• Each site has its own private subnetwork:
  • Site “A” - 10.5.4.0/24
  • Site “B” - 192.168.255.0/24
• VPNaaS version: 12.0.5
• pfSense version: CE-2.4.4-RELEASE-p3-amd64

Warning

Depending on the OS version of the router or software, subsequent configuring may vary.

Note

To set up a VPN connection, the following required conditions must be satisfied:

• Network availability between routers:

  • Protocol: UDP, port 500 (for IKE, to manage encryption keys).
  • Protocol: UDP, port 4500 (for IPSEC NAT-Traversal mode).
  • Protocol: ESP, value 50 (for IPSEC).
  • Protocol: AH, value 51 (for IPSEC).

• The firewall rules must not block network traffic between the routers and the private subnetworks.

• Private subnetworks that will be connected by means of IPSec must be different and must not include each other.

“Summary table”

VPN Router	VPN Peer IP	Private Network	Private Network GW IP	Private Network Host IP
Site “A” (VPNaaS)	156.67.54.218	10.5.4.0/24	10.5.4.1/32	10.5.4.7
Site “B” (pfSense)	156.67.53.177	192.168.255.0/24	192.168.255.22/32	192.168.255.29

In this example the initial configuration of the secure IPsec site-to-site VPN connection is carried out. To do this, we link the private networks 10.5.4.0/24 and 192.168.255.0/24, situated behind the routers.

Site A configuration (VPNaaS)

The VPNaaS is configured in accordance with the instructions:

A1. Configure IKE Policy. For this step the following parameters are used:

“IKE Policy”

Name	ikepolicy
Authorization algorithm	sha1
Encryption algorithm	3des
IKE version	v2
Lifetime value for IKE keys	86400
Perfect Forward Secrecy	group5
IKE Phase1 negotiation mode	main

A2. Configure IPSec Policy. For this step the following parameters are used:

“IPsec Policy”

Name	ipsecpolicy
Authorization algorithm	sha1
Encapsulation mode	tunnel
Encryption algorithm	3des
Lifetime value for IKE keys	3600
Perfect Forward Secrecy	group5
Transform Protocol	esp

A3. Configure VPN service. For this step the following parameters are used:

“VPN service”

Name	VPNservice
Router	Select from list of cloud project routers

A4. Configure Endpoint Groups. For this step the following parameters are used:

“Endpoint Groups”

Endpoint group name	Type	Value
local_epg	SUBNET	10.5.4.0/24
remote_epg	CIDR	192.168.255.0/24

A5. Configure IPsec site connection. For this step the following parameters are used:

“IPsec site connection”

Name	ipsecsiteconn
VPN service associated with this connection	VPNservice
Endpoint group for local subnet(s)	local_epg
IKE policy associated with this connection	ikepolicy
IPsec policy associated with this connection	ipsecpolicy
Peer gateway public IPv4/IPv6 Address or FQDN	156.67.53.177
Peer router identity for authentication (Peer ID)	156.67.53.177
Endpoint group for remote peer CIDR(s)	remote_epg
Pre-Shared Key (PSK) string	Baejii9ahwoo
MTU	1500

A6. Once all these changes have been made, it can be seen that the IPsec site connection has been successfully created and has the status ‘Down’. When the tunnel is configured at the other end and successfully established, this status changes to ‘Active’.

Site B configuration (pfSense)

Guidance for configuring the VPN on the pfSense software is taken from the original chapter from the software manufacturer - “Configuring a Site-to-Site IPsec VPN”.

B1. Configuring the VPN IPsec tunnel. Phase 1

Go to ‘VPN > IPsec’ menu and press ‘+ Add P1’ on the ‘Tunnels‘ tab.

The following parameters are to be used:

General Information

Disabled	Unchecked	To enable tunnel to work, leave unchecked
Key Exchange version	V2	Must match the version specified in the VPNaaS
Internet Protocol	IPv4
Interface	WAN	An interface facing the Internet network must be selected
Remote gateway	156.67.54.218	In this case, the public IP address of the VPNaaS
Description	VPNaaS	Description

Phase 1 Proposal (Authentication)

Authentication method	Mutual PSK	Use Pre-shared Key
My identifier	My IP address	Simple identification if using a fixed IP
Peer identifier	Peer IP address	Simple identification if using a fixed IP
Pre-Shared Key	Baejii9ahwoo	Random characters, must be same as the sequence entered at the other end

Phase 1 Proposal (Encryption Algorithm)

Encryption algorithm / Algorithm	3DES	Must match the version specified in the VPNaaS
Encryption algorithm / Hash	SHA1	Must match the version specified in the VPNaaS
Encryption algorithm / DH group	5	Must match the version specified in the VPNaaS
Lifetime	86400	Must match the version specified in the VPNaaS

Advanced Options

Disable Rekey	Unchecked	Re-request key if action times out
Disable Reauth	Unchecked	For IKEv2 only re-authenticate peer on rekeying
Dead Peer Detection	Enabled	Leave settings as default

Save changes by clicking the ‘Save‘ button.

B2. Configuring the VPN IPsec tunnel. Phase 2

Go to the ‘VPN > IPsec’ menu in the ‘Tunnels‘ tab. After pressing the ‘+ Show Phase-2 entries’ button an empty list appears; here press ‘+ Add P2’ to add a record for ‘Phase 2’.

The following parameters are to be used:

General Information

Disabled	Unchecked	To enable tunnel to work, leave unchecked
Mode	Tunnel IPv4	Select Tunnel mode
Local Network / Type	LAN subnet	Route the local LAN subnet
Remote Network / Type	Network	Route a remote network
Remote Network / Address	10.5.4.0/24	The remote LAN subnet
Description	Локальная сеть в VPNaaS	Description

Phase 2 Proposal (SA/Key Exchange)

Protocol	ESP	Select ESP for encryption
Encryption algorithms	3DES	Must match the version specified in the VPNaaS
Hash algortihms	SHA1	Must match the version specified in the VPNaaS
PFS Key group	5(1536bits)	Must match the version specified in the VPNaaS
Lifetime	3600	Must match the version specified in the VPNaaS

Save your changes by clicking ‘Save’ and adopt them by clicking ‘Apply changes’.

B3. Activating the VPN IPsec tunnel.

To activate the IPsec connection go to the ‘VPN > IPsec’ menu in the ’Tunnels’ tab.

Click the Restart Service pictogram:

B4. Add rules to the firewall to allow traffic to pass through the IPsec tunnel to our local network.

To do this, go to the ‘Firewall > Rules’ menu in the ‘IPsec’ tab and add the rule according to the table:

“Edit IPsec Firewall rules”

Action	Interface	Address Family	Protocol	Source	Destination	Description
Pass	IPsec	IPv4	any	any	LAN net	Allow IPsec traffic to LAN net

Save the rule by clicking Save and adopt it by clicking ‘Apply changes’.

Tunnel function check

When these changes are complete the VPN tunnel should be established and traffic between the local networks should be able to flow through it.

This can be verified with a ping command between the hosts on opposite local networks.

Note

If the tunnel is not established, restart the VPN service from both sides.

• To check the tunnel status in pfSense, go to the ‘Status > IPsec’ menu in the ‘Overview‘ tab. Click the button ‘Show child SA entries’ to see the details for ‘Phase 2‘.
• The status of the IPsec site connection in the VPNaaS has changed to Active.